Petr Škoda

**Name of the Vulnerable Software and Affected Versions** Moodle versions prior to 2.2.2 **Description** The issue is related to an external enrolment plugin context check in Moodle, where capability checks are not thorough. **Recommendations** For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHP Spellchecker addon versions prior to 2.0.6.1 for TinyMCE Moodle versions 2.1.x prior to 2.1.10 Moodle versions 2.2.x prior to 2.2.7 Moodle versions 2.3.x prior to 2.3.4 Moodle versions 2.4.x prior to 2.4.1 **Description** The issue arises from improper handling of control characters in the PHP Spellchecker addon, allowing remote attackers to trigger arbitrary outbound HTTP requests via a crafted string. **Recommendations** For PHP Spellchecker addon version prior to 2.0.6.1, update to version 2.0.6.1 or later. For Moodle version 2.1.x, update to version 2.1.10 or later. For Moodle version 2.2.x, update to version 2.2.7 or later. For Moodle version 2.3.x, update to version 2.3.4 or later. For Moodle version 2.4.x, update to version 2.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.3.x through 2.3.0 **Description** The issue allows remote authenticated users to bypass intended alias restrictions in file uploads by using a client that omits the client-side check. **Recommendations** For Moodle versions 2.3.x through 2.3.0, update to version 2.3.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.5 Moodle versions 2.1.x through 2.1.2 **Description** The issue concerns the web services implementation, which fails to properly account for the maintenance-mode state and user attributes during login attempts. This allows remote authenticated users to bypass intended access restrictions by connecting to a webservice server. **Recommendations** For Moodle versions 2.0.x through 2.0.5, update to version 2.0.6 or later. For Moodle versions 2.1.x through 2.1.2, update to version 2.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.2 **Description** The issue allows remote authenticated users to obtain sensitive email address information by reading a full profile page, due to the software not recognizing a configuration setting that makes email addresses visible only to course members. **Recommendations** For Moodle versions 2.0.x through 2.0.2, update to version 2.0.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.3 Moodle versions 2.1.x through 2.1.0 **Description** The issue concerns a lack of authorization check in the `moodle enrol external:role assign` function, allowing remote authenticated users to gain privileges by making a role assignment. **Recommendations** For Moodle versions 2.0.x through 2.0.3, update to version 2.0.4 or later. For Moodle versions 2.1.x through 2.1.0, update to version 2.1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.4 Moodle versions 2.1.x through 2.1.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `section` parameter in the `/mod/wiki/lang/en/wiki.php` file. **Recommendations** For Moodle versions 2.0.x through 2.0.4, update to version 2.0.5 or later. For Moodle versions 2.1.x through 2.1.1, update to version 2.1.2 or later.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.0.x through 2.0.4 Moodle versions 2.1.x through 2.1.1 **Description** The issue allows remote attackers to hijack the authentication of arbitrary users for requests that modify wiki data due to multiple cross-site request forgery (CSRF) vulnerabilities in mod/wiki/ components. **Recommendations** For Moodle versions 2.0.x through 2.0.4, update to version 2.0.5 or later. For Moodle versions 2.1.x through 2.1.1, update to version 2.1.2 or later.